Bitcoin Faucet - Two Weeks In

Yesterday marked the two-week anniversary of my bitcoin faucet. So, I
want to share some thoughts on what it's been like running it.
Interestingly, the day I started my faucet happens to be the same day
my keyboard was manufactured 26 years ago. :P

Before I get started, I'd like to take a moment to thank my loyal users
for their continued enjoyment of the faucet, and for propelling my
faucet to the top of the charts!

Stats

It's been an exciting couple of weeks, watching this little experiment
take off, and I've been gathering all kinds of data. So, I'd like to give
y'all an idea of what the first two weeks looked like.

FaucetBOX.com List Ranking

As you can see, my faucet reached the top 100 after just four days of
existence, and broke into the top 50 just one week later! It's still
going strong, despite being the youngest faucet within the top 50, and
I'm predicting it will hit the top 25 within a week or so.

Average Hourly Payout per Day

A better indication of activity would be to look at the average number
of hourly payouts. This shows that my faucet is healthy and growing,
providing plenty of satoshi to my users.

The demand on my faucet is only going one way: up.

Traffic

This graph also echoes the fact that things are on the up-and-up!
If you're paying attention, you'll have noticed the sudden jump in
pageviews on Oct. 20. This was due to a short-lived attack attempt
by a few bots that have since been beaten back into the cyber-oblivion
from whence they came. You can see from looking at the payouts graph
that they weren't overly successful.

Unsurprisingly, ifaucet.net has been the top referrer over these last
couple of weeks, making them a valuable channel for any faucet. Other
sources also contributed a significant share of referrals.

The Advertisements stat reflects ads run by others, not by me. So, I'd
like to say thanks to those such as
The Faucet Runner
who by running these ads on their own dime have helped promote my faucet!

Despite my current rank in their list, Faucetbox itself isn't yet a
significant contributor of traffic.

On CAPTCHAs

When I started my faucet, I tapped the well-known
reCAPTCHA
to act as a front-line discriminator between bots and humans.
While it's true that reCAPTCHA offers a nice user experience, sadly it has
fallen short of my personal expectations.

To be fair, I seem to recall that stopping bots was never the first goal
of reCAPTCHA. As far as I recall, it was to assist in digitizing books and
deciphering house numbers and street signs. With reCAPTCHA 2.0, I was
greatly impressed with the user experience it offers.

As an experiment, on October 21, I decided to roll out
Funcaptcha
as I was intrigued to see how well it would perform in comparison.
I have seen a definite increase in the number of CAPTCHA fails versus
reCAPTCHA in the time since. So far, my only complaints are that
Funcaptcha doesn't offer daily or hourly stats, as far as I can tell,
and that sometimes it takes too damn long to validate a CAPTCHA result.
The worst part is that my users will see lots of timeouts during periods
of high activity, and this degrades the user's experience substantially.

reCAPTCHA's average response time during the time I had it on the site was
a mere 50 ms, and it was very consistent, even during periods of heavy
load. Funcaptcha's average response time during the last 7 days was
432 ms, which isn't that great, but it is okay. It's relatively close
to FaucetBOX's average response time of 390 ms. But, I can't help but
wonder if Funcaptcha is also written in PHP, or perhaps Java. Either
one might explain the slow performance. Or, perhaps the fellers
down there need to upgrade their infrastructure. :)
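The response times above matter because the verification call sits in the critical path of every claim: a slow or stalled provider becomes a failed claim from the user's point of view. The following example, added here and not code from the post or from any CAPTCHA provider, shows two things a faucet operator would want: a latency summary that reports the tail (p95) rather than just the average, and a wrapper that runs the provider's verification call under a hard deadline so a stalled call is reported as a retryable timeout instead of hanging the request. The latency numbers and the `verify_fn` callable are constructed stand-ins; the real provider call is whatever your faucet already uses.

```python
import statistics
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout

# Constructed sample data: per-request verification latencies in milliseconds,
# as a faucet could log them for two CAPTCHA providers.  These values are
# illustrative and are not measurements from any real provider.
SAMPLE_LATENCIES_MS = {
    "provider_a": [48, 51, 50, 49, 52, 50, 47, 53],
    "provider_b": [310, 450, 2900, 380, 420, 5100, 390, 410],
}


def latency_summary(samples_ms):
    """Mean, median and 95th percentile of a latency series (ms).

    A bare average hides the tail; the p95 is what users feel during a
    busy hour, so it is the number to watch when comparing providers.
    """
    ordered = sorted(samples_ms)
    p95_index = max(0, int(round(0.95 * len(ordered))) - 1)
    return {
        "mean": statistics.mean(ordered),
        "median": statistics.median(ordered),
        "p95": ordered[p95_index],
    }


def verify_with_deadline(verify_fn, response_token, deadline_s):
    """Run a CAPTCHA verification call under a hard deadline.

    verify_fn is an assumed placeholder for whatever talks to the provider's
    verification endpoint and returns True/False.  Returns (verdict, elapsed_s)
    where verdict is "pass", "fail" or "timeout".  A timeout is surfaced as a
    retryable error rather than letting the claim request hang and count as a
    CAPTCHA failure against the user.
    """
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(verify_fn, response_token)
    try:
        verdict = "pass" if future.result(timeout=deadline_s) else "fail"
    except FutureTimeout:
        verdict = "timeout"
    finally:
        # Do not block on a stuck verifier thread; let it finish on its own.
        pool.shutdown(wait=False)
    return verdict, time.monotonic() - start


def slow_verifier(delay_s, answer=True):
    """Constructed stand-in for a provider call that takes delay_s seconds."""
    def verify(_token):
        time.sleep(delay_s)
        return answer
    return verify


if __name__ == "__main__":
    for name, samples in SAMPLE_LATENCIES_MS.items():
        print(name, latency_summary(samples))
    print(verify_with_deadline(slow_verifier(0.01), "token", deadline_s=1.0))
    print(verify_with_deadline(slow_verifier(0.5), "token", deadline_s=0.1))
```

The deadline should be set from the tail of your own measurements, not the average: a provider averaging 400 ms with a p95 of several seconds needs a deadline and a retry path, while one that is flat at 50 ms does not.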

EDIT: Oct 31: Added a graph of Funcaptcha request times.

Does Funcaptcha do what it's supposed to do? Certainly. It's also
worthwhile to note that CAPTCHA solving services exist for reCAPTCHA,
even the "no CAPTCHA" variant, as well as for several others such as
Solve Media. Although, I've
not seen one for Funcaptcha to date. But, it's my opinion that
CAPTCHAs will not be viable in the long run for keeping bots out and
humans in, even if they are quite handy at the moment.

Interestingly, even after the faucet no longer served reCAPTCHA challenges,
or sent responses for validation, Google's reCAPTCHA stats show that
the key is still in use. The only logical conclusion I can draw from this
is that either their statistics are wrong, or that the keypair was somehow
compromised.

Although these requests are trending down, it's still quite alarming that
there are any requests being made for these days in the first place. If
you're using reCAPTCHA for your faucet, you may want to consider
alternatives. As always, keep in mind that no CAPTCHA will ever be
perfect or stop 100% of bots 100% of the time.

On Anti-Bot Measures

Naturally, I've had my fair share of bot attacks, even in the first two
weeks of running my faucet. When you build a well, some people will come
with a bucket, and even more will come with a dredge pump. It's just a
fact of life. The real problem to solve is making sure that the guy
with the dredge pump can't drain the well dry, so that there's plenty
to go around for all the users who come with their buckets in hand.

That said, here are some common "countermeasures" I've seen passed
around that aren't all that effective. If you're using any of these
methods, please give the points below some thought.

Claim Button Timeouts / "I'm a human" Checkboxes

Even non-humans are capable of checking a checkbox, considering that a
lot of these bots are not merely scripts, but scripts running in a
browser.

As a user, I've seen some of these with rather long timeouts, or cases
where the button doesn't appear at all. Both are equally irritating for
a user. Such checkboxes may catch some small-time scripts, but in the
long run a CAPTCHA alone will be a better defense.

Anti-bot Links

These are the most annoying things for a user, and in many cases I've
personally seen, these "features" are used merely to click-bait users
instead of really stopping bots. As a user, I've always found this to
be a major pain in the ass. Furthermore, click-baiting users is a
violation of the TOS of most ad networks!

Let's consider how this works. The user must click the links in a
predefined order, and the page uses an image to show the user the order in
which they must be clicked. This order is communicated to the
server via a form field.

If the links have been clicked, the "claim" button appears, and all
should be well. When the form is submitted, the value from the form
field is compared with data associated with that session. If this
matches, and the request was submitted within some seconds of when the
link order was first generated, then it's assumed the user is not a bot.

Even without OCRing the image, with 3 links, the bot still has a 1 in
9 chance of guessing the correct order. With 5 links, 1 in 120; and with
10 links, 1 in 3,628,000. So, for this to even be marginally effective
you'd have to have a good number of these links strewn throughout your
page. Furthermore, you'd have to invent many different ways of
instructing the user to click the links. Over time this will be
increasingly difficult to maintain, and will become easier for bots
to solve.

This will only serve to drive away more users as it becomes necessary to
increase the complexity of such a solution. Keep in mind, Moore's Law also
applies to botnets, and Murphy's Law applies to the rest of us.
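For readers who do run such a check, the server side described above is where the real holes usually are: an order that is accepted more than once, or one that is checked against a value the client supplied rather than the session. The following is an added example, not code from the post or from any faucet script, showing the server-side half of that mechanism done carefully (order generated from a CSPRNG, kept only in the server session, single-use, and bound to a time window), along with the count of possible orders for n links. The session store is a plain dict standing in for a real server-side session; the field names are assumptions for this example.

```python
import hmac
import math
import secrets
import time


class LinkOrderChallenge:
    """Server side of the 'click the links in this order' check.

    The order is generated on the server, kept only in the session, and
    accepted once, within a short window.  None of that stops a browser-
    driven bot that reads the image, but it closes the obvious holes:
    replaying a known answer, or submitting whatever order the client likes.
    """

    def __init__(self, n_links, window_s=30):
        self.n_links = n_links
        self.window_s = window_s

    def issue(self, session, now=None):
        """Create a fresh random order and remember it (with its issue time)."""
        now = time.time() if now is None else now
        order = list(range(1, self.n_links + 1))
        # Fisher-Yates shuffle driven by a CSPRNG, so the order is unpredictable.
        for i in range(len(order) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            order[i], order[j] = order[j], order[i]
        session["link_order"] = ",".join(map(str, order))
        session["link_order_issued_at"] = now
        return order  # what the instruction image would show the user

    def verify(self, session, submitted, now=None):
        """Check the submitted order against the session.  Returns (ok, reason)."""
        now = time.time() if now is None else now
        # Pop, not get: a challenge is consumed on first use, so a second
        # submission of the same answer is rejected as a replay.
        expected = session.pop("link_order", None)
        issued_at = session.pop("link_order_issued_at", None)
        if expected is None or issued_at is None:
            return False, "no challenge outstanding"
        if now - issued_at > self.window_s:
            return False, "challenge expired"
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False, "wrong order"
        return True, "ok"


def blind_guess_odds(n_links):
    """Number of possible orders for n links; a blind guess succeeds 1 in n!."""
    return math.factorial(n_links)


def demo_round_trip(n_links=5, window_s=30):
    """Exercise the check end to end; returns the reason strings in order."""
    challenge = LinkOrderChallenge(n_links, window_s)
    session = {}  # constructed stand-in for the server-side session
    order = challenge.issue(session, now=1000.0)
    answer = ",".join(map(str, order))
    results = [
        challenge.verify(session, answer, now=1010.0)[1],  # correct, in time
        challenge.verify(session, answer, now=1011.0)[1],  # replay of the same answer
    ]
    challenge.issue(session, now=2000.0)
    results.append(challenge.verify(session, answer, now=2000.0 + window_s + 1)[1])
    order = challenge.issue(session, now=3000.0)
    wrong = ",".join(map(str, reversed(order)))
    results.append(challenge.verify(session, wrong, now=3001.0)[1])
    return results


if __name__ == "__main__":
    print(demo_round_trip())
    for n in (3, 5, 10):
        print(n, "links -> a blind guess succeeds 1 in", blind_guess_odds(n))
```

`blind_guess_odds` generalises the post's figures to any number of links (n! orderings), which is also the ceiling on what the check can ever buy you: the odds only get worse for a guesser as you add links, and every added link is another thing a real user has to click.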

Port Detection

Some faucets will block users who are coming from IP addresses that also
expose ports 80 (http), 443 (https), 8080 (http-proxy), and more. This
may seem like a prudent measure, since it would be atypical for a
normal internet user to be running a webserver or proxy on their machine.

However, let's consider a common case. The user is behind a NAT that
exposes a web interface, or acts as an MTA. This is a pretty common setup
on some networks, and the exposure of some services is completely
unintentional. Should the users who happen to be behind these NATs pay
for the incompetence of the entity routing their traffic? I think not.

The second thing to consider is that each time you probe for a port, what
you're really doing is slowing down the response time back to the user.
Each port you attempt to connect will incur a certain amount of network
latency. The timeout would have to be fairly high (around 250 ms or more)
in order to reliably detect the open port. In a lot of setups, the default
will be 30 seconds or so per connection attempt.

In cases where the port isn't open at all, this will add the entire amount
of the delay to the response time for your user. Thus, your faucet will
appear sluggish and unresponsive, and a large number of requests to your
site will time out, leading users to believe that it doesn't work at all.
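The latency argument above is easy to put numbers on. The following added example (not code from the post or from any faucet script) does two things: it computes the worst-case delay the check adds when every probed port is unreachable, for sequential versus concurrent probes, and it shows a probe with an explicit timeout so that the 30-second operating-system default never applies. The loopback demonstration opens and closes a listener on the local machine only; the port list is the one the post names and the timeout figures are the post's own.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor

# Ports the post mentions faucets checking.
PROBED_PORTS = (80, 443, 8080)


def added_latency_s(n_ports, timeout_s, concurrent):
    """Worst-case delay the check adds when no probed port answers at all.

    A filtered port burns the full timeout.  Sequential probes add them
    up; concurrent probes cost a single timeout in total.
    """
    return timeout_s if concurrent else n_ports * timeout_s


def probe_port(host, port, timeout_s):
    """Single TCP connect with a hard timeout.  Returns (state, seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            state = "open"
    except socket.timeout:
        state = "filtered"  # no answer at all: the whole timeout was spent
    except OSError:
        state = "closed"    # a reset came back quickly
    return state, time.monotonic() - start


def probe_ports(host, ports=PROBED_PORTS, timeout_s=0.25):
    """Probe all ports concurrently so the check costs at most one timeout."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout_s), ports))
    return dict(zip(ports, states))


def demo_local_probe(timeout_s=0.25):
    """Open a listener on a free loopback port, probe it, close it, probe again.

    Returns the two observed states, expected to be ("open", "closed").
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = probe_port("127.0.0.1", port, timeout_s)[0]
    finally:
        listener.close()
    after_close = probe_port("127.0.0.1", port, timeout_s)[0]
    return while_open, after_close


if __name__ == "__main__":
    print("3 ports, 30 s default, sequential:", added_latency_s(3, 30.0, False), "s")
    print("3 ports, 250 ms, sequential:      ", added_latency_s(3, 0.25, False), "s")
    print("3 ports, 250 ms, concurrent:      ", added_latency_s(3, 0.25, True), "s")
    print("loopback demo:", demo_local_probe())
```

With the post's figures, three sequential probes at the 30-second default add a minute and a half to a claim when the client's firewall simply drops the packets, and even the tuned 250 ms timeout adds three quarters of a second; running the probes concurrently caps the cost at one timeout, but that is still paid on every claim by every user whose address drops the probes.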

Long story short, you're only going to drive away good users. While this
will catch some bots, it won't stop many of them, and it's certainly not
more effective than other measures. Want proof? Check out my stats for
Oct 26th in the graphs above. I ran a test with some port detection logic
for the whole day, just to see whether or not it would be effective, and
you can clearly see it had little to no impact on traffic or payouts. For
the record, I was blocking any hosts that exposed any of these ports:
80, 443, and 8080.

Conclusion

It's been a great two weeks since starting my faucet. I've seen my fair
share of action, and I'm looking forward to serving more and more users.
Personally, I think that faucets, being plenty of people's first step into
bitcoin and cryptocurrency in general, make for a nice little niche.

In a future article, I'll write more about my own anti-bot measures,
thoughts on bitcoin based advertising networks, and other things. So,
stay tuned, and make sure to stop by the faucet and claim your
free satoshi if you ain't done so in the last 60 minutes.